strukturag / libde265

Open h.265 video codec implementation.

Stack buffer overflow in refpic.cc - dump_compact_short_term_ref_pic_set #399

Closed skensita closed 1 year ago

skensita commented 1 year ago

Tested version: libde265 v1.0.11

Description of the bug: A stack buffer overflow is triggered when processing a crafted HEVC file, which leads to code execution. This can be used for local or remote code execution.

Steps to reproduce the bug: Compile with Address Sanitizer (ASan): ./hdrcopy ./74e8de752b8fb1c6ad0d9b7afe0b711106ff4efa

Address Sanitizer log:

min@min-s-jang02:~/h.265/fuzzing/test$ ./hdrcopy classifiedCrashes/74e8de752b8fb1c6ad0d9b7afe0b711106ff4efa
NAL: 0x42 0x17 -  unit type:SPS temporal id:6
INFO: ----------------- SPS -----------------
INFO: video_parameter_set_id  : 0
INFO: sps_max_sub_layers      : 1
INFO: sps_temporal_id_nesting_flag : 1
INFO:   general_profile_space     : 0
INFO:   general_tier_flag         : 0
INFO:   general_profile_idc       : Main
INFO:   general_profile_compatibility_flags: 0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INFO:     general_progressive_source_flag : 1
INFO:     general_interlaced_source_flag : 0
INFO:     general_non_packed_constraint_flag : 0
INFO:     general_frame_only_constraint_flag : 1
INFO:   general_level_idc         : 63 (2.10)
INFO: seq_parameter_set_id    : 0
INFO: chroma_format_idc       : 1 (4:2:0)
INFO: pic_width_in_luma_samples  : 640
INFO: pic_height_in_luma_samples : 368
INFO: conformance_window_flag    : 0
INFO: bit_depth_luma   : 8
INFO: bit_depth_chroma : 8
INFO: log2_max_pic_order_cnt_lsb : 8
INFO: sps_sub_layer_ordering_info_present_flag : 1
INFO: Layer 0
INFO:   sps_max_dec_pic_buffering      : 13
INFO:   sps_max_num_reorder_pics       : 0
INFO:   sps_max_latency_increase_plus1 : 5
INFO: log2_min_luma_coding_block_size : 3
INFO: log2_diff_max_min_luma_coding_block_size : 3
INFO: log2_min_transform_block_size   : 2
INFO: log2_diff_max_min_transform_block_size : 3
INFO: max_transform_hierarchy_depth_inter : 4127
INFO: max_transform_hierarchy_depth_intra : 256255
INFO: scaling_list_enable_flag : 0
INFO: amp_enabled_flag                    : 0
INFO: sample_adaptive_offset_enabled_flag : 0
INFO: pcm_enabled_flag                    : 0
INFO: num_short_term_ref_pic_sets : 57
INFO: ref_pic_set[  0 ]: ................|XXX.............
INFO: ref_pic_set[  1 ]: -8223X -8222o ...............X|XX..............
INFO: ref_pic_set[  2 ]: -8224X -8223X ..............oX|X...............
INFO: ref_pic_set[  3 ]: -8225X -8224X .............XoX|................
INFO: ref_pic_set[  4 ]: -8224X -8223X ..............XX|X...............
INFO: ref_pic_set[  5 ]: ................|................
INFO: ref_pic_set[  6 ]: ...............X|................
INFO: ref_pic_set[  7 ]: ................|X...............
INFO: ref_pic_set[  8 ]: ...............o|................
INFO: ref_pic_set[  9 ]: ..............XX|................
INFO: ref_pic_set[ 10 ]: ...............X|X...............
INFO: ref_pic_set[ 11 ]: ..............oX|................
INFO: ref_pic_set[ 12 ]: .............X.o|................
INFO: ref_pic_set[ 13 ]: ................|................
INFO: ref_pic_set[ 14 ]: .............o..|................
INFO: ref_pic_set[ 15 ]: ................|X...............
INFO: ref_pic_set[ 16 ]: .............o..|................
INFO: ref_pic_set[ 17 ]: ................|X...............
INFO: ref_pic_set[ 18 ]: .............o..|................
INFO: ref_pic_set[ 19 ]: ................|X...............
INFO: ref_pic_set[ 20 ]: .............o..|................
INFO: ref_pic_set[ 21 ]: ................|X...............
INFO: ref_pic_set[ 22 ]: .............o..|................
INFO: ref_pic_set[ 23 ]: ................|X...............
INFO: ref_pic_set[ 24 ]: .............o..|................
INFO: ref_pic_set[ 25 ]: ................|X...............
INFO: ref_pic_set[ 26 ]: .............o..|................
INFO: ref_pic_set[ 27 ]: ................|X...............
INFO: ref_pic_set[ 28 ]: .............o..|................
INFO: ref_pic_set[ 29 ]: ................|X...............
INFO: ref_pic_set[ 30 ]: AddressSanitizer:DEADLYSIGNAL
=================================================================
==5749==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeb33be342 (pc 0x7fca58258d1e bp 0x7ffeb33b7600 sp 0x7ffeb33b7500 T0)
    #0 0x7fca58258d1d in dump_compact_short_term_ref_pic_set(ref_pic_set const*, int, _IO_FILE*) /home/min/h.256/libde265/libde265/refpic.cc:421
    #1 0x7fca5828d904 in seq_parameter_set::dump(int) const /home/min/h.256/libde265/libde265/sps.cc:727
    #2 0x55c0d1482abe in process_nal(NAL_unit*) /home/min/h.256/libde265/dec265/hdrcopy.cc:72
    #3 0x55c0d1482d7d in main /home/min/h.256/libde265/dec265/hdrcopy.cc:112
    #4 0x7fca57be2082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x55c0d14826ad in _start (/home/min/h.265/fuzzing/test/.libs/hdrcopy+0x46ad)

SUMMARY: AddressSanitizer: stack-overflow /home/min/h.256/libde265/libde265/refpic.cc:421 in dump_compact_short_term_ref_pic_set(ref_pic_set const*, int, _IO_FILE*)
==5749==ABORTING

Please check the attached POC.

74e8de752b8fb1c6ad0d9b7afe0b711106ff4efa.zip

SchrodingersMind commented 1 year ago

Nice findings!

But I think that the multiple submitted issues like this, #400 and #401, resulted from a single stack-based buffer overflow in dump_compact_short_term_ref_pic_set() (which exists due to an integer overflow in read_short_term_ref_pic_set()). Please check if my commit at #402 fixes these vulnerabilities and let me know.

skensita commented 1 year ago

I agree with you. The stack-based buffer overflow in #399, #400 and #401 can be resolved with the #402 fixes. And the #402 fixes also address #398.
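The defensive side of this thread, as an added example that is not libde265's code: a compact reference-picture-set dump that checks both ends of a delta before indexing its fixed-size stack buffer, beside a checked reconstruction of DeltaPocS0 that rejects syntax values outside the H.265 limit or that would wrap int, so the dump routine is never handed an overflowed delta. The `rps` struct, `RANGE`, and the function names are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <string.h>
#define RANGE   16               /* half-width of the "........|........" picture */
#define BUF_LEN (2 * RANGE + 1)  /* marker for delta d lands at buf[d + RANGE] */

/* Hypothetical stand-in for a short-term RPS (not libde265's struct). */
struct rps {
    int  num_negative;
    int  delta_poc_s0[16];       /* DeltaPocS0[i]: negative, decreasing */
    bool used_s0[16];
};

/* Draw one marker only if the delta lies inside the picture. Checking a single
 * side (e.g. only d >= -RANGE) lets a wrapped or huge value index the stack. */
static int place_marker(char *buf, int d, bool used)
{
    if (d < -RANGE || d > RANGE) return 0;
    buf[d + RANGE] = used ? 'X' : 'o';
    return 1;
}

/* Render into out[BUF_LEN + 1]; returns how many entries were skipped. */
int render_rps(const struct rps *set, char *out)
{
    memset(out, '.', BUF_LEN);
    out[RANGE] = '|';
    out[BUF_LEN] = '\0';
    int skipped = 0;
    for (int i = 0; i < set->num_negative; i++)
        skipped += !place_marker(out, set->delta_poc_s0[i], set->used_s0[i]);
    return skipped;
}

/* Rebuild DeltaPocS0 from delta_poc_s0_minus1 (H.265 7.4.8:
 * DeltaPocS0[i] = DeltaPocS0[i-1] - (minus1[i] + 1)). Rejects values above the
 * spec limit 2^15-1 and any step that would wrap int, so no overflowed delta. */
int accumulate_deltas(const unsigned *minus1, int n, int *out)
{
    int prev = 0;
    for (int i = 0; i < n; i++) {
        if (minus1[i] > 32767u) return -1;
        int step = (int)minus1[i] + 1;
        if (prev < INT_MIN + step) return -1;      /* prev - step would wrap */
        prev -= step;
        out[i] = prev;
    }
    return 0;
}
```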